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Abstract. Open Induction on Cantor space (01) is a principle classically equiva- 
lent to Dependent Choice, but, unlike the later, it is closed under double-negation 
translation and A-translation. In the context of Constructive Reverse Mathemat- 
' ics, Wim Veldman has shown that, in presence of Markov's Principle (MP), OI 

is equivalent to Double-negation Shift (DNS). In this paper, we use the proof of 
Veldman, and our previous work on interpreting DNS by delimited control op- 
' erators, to give a constructive proof of 01 using delimited control operators. We 

also point out that while the use of MP can be replaced by strengthening the DNS 
schema, one does have to use a countable axiom of choice in the proof. 

Keywords: open induction, axiom of choice, computational interpretation, con- 
structive proof, delimited control operators, realizability 
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Let A be an open subset of Cantor space, N — > {0, 1}, that is, let A be 
\ defined by an enumeration (p n ) of finite bit-strings such that a E A stands 

for 3n,k E N(an — pt), where ~an is the finite initial segment of length 
n of the bit-stream a. Define the lexicographic order /3 < a on infinite 
bit-streams by 3n E N(j8n = ccn A (/3 (n) = OAc(n) = l)). 

Then, the principle of Open Induction on Cantor space is the follow- 
ing statement: 

Va(V/3<a(/3eA)^aeA)^Va(aeA). (01) 

In other words, all infinite paths a through the infinite binary tree that 
is Cantor space can be shown to satisfy an open property A, if A is pro- 
gressive: a path a is in A when all paths /3 "left" of a are in A. Note that 
A can be uncountable and that < is not a well-founded order on infinite 
paths, in general. 



The principle 01 was isolated by Raoult lfl4l who using it give a 
version of Nash-Williams' proof of Kruskal's theorem that does not use 
the Axiom of Choice. Later, it was introduced to the field of Constructive 
Mathematics by Coquand (3), who also gave a justification of it in terms 
of bar induction [4J. Berger [2J showed that it is classically equivalent to 
the Axiom of Dependent Choice (DC), and that, unlike DC, it is closed 
under double-negation- and A-translation; this means, in particular, that 
there is a simple way to extract intuitionistic proofs (and programs) from 
classical proofs of Zj'-statements that use 01. 

In Constructive Reverse Mathematics, Veldman investigated the rela- 
tionships between various (more-than-)intuitionistic principles H18I17I . 
and, among others, proved the equivalence of 01 and Double-negation 
Shift (DNS) in presence of Markov's Principle (MP). Given that it is 
possible to obtain proofs for both MP |[8l and DNS [10] using construc- 
tive logical systems based on delimited control operators, it was a natural 
next step to attempt to provide a constructive proof of 01 based on de- 
limited control operators. 

This paper is organized as follows. In Section[2l we revise Veldman's 
proof of 01 from DNS and MP that uses a new logical principle, EnDec, 
as a stepping stone. In Section |3j we revise the logical system from |[TOl 
and use its ability to prove DNS5 (a slight strengthening of plain DNS) 
using delimited control operators, in order to prove EnDec without ex- 
plicitly using MP. In Section|U we give a formalized proof term for 01 in 
a variant of HA® based on the logical system from the previous section. 
In the final Section[5l we discuss future work and mention related works. 

2 From DNS and MP to Open Induction 

Notation Unless otherwise noted, the metavariables Z,m,n k range over 
natural numbers, N. We use p,q to denote finite bit-strings, B*, and 
0C,/3 for infinite bit-streams, M — > B. We omit type annotations for these 
metavariables. For p,q : B*, p * q denotes the concatenation of p and q. 
For a : N — > B and n : N, an denotes the finite initial segment of length 
n of a. Analogously, for p : N — > B and n:N,pn denotes the initial seg- 
ment of length n of p (if n is less or equal to the length of p, otherwise 
it is undefined). Concrete bit-strings are constructed using the notation 
(•); p* (0) thus means that a zero bit has been appended at the end of p. 



The notation /3 < a abbreviates 3n(fin = j3nAj3(«) = 0Aa(n) = 1). We 
abbreviate (Ai -> A 2 ) A (A 2 ->■ Ai) to (Ai A 2 ). 
Consider the following principle. 

Axiom 1 (EnDec). For any 5CN which is recursively enumerable, if 

for any A C N which is decidable and such that A C B, we have 
that if 3m(m G"A) then 3w(m ^AAmefi), 

then N C B (and hence 5 is decidable). 

In this section, we derive Open Induction on Cantor space from Double- 
negation Shift and Markov's Principle, by adapting the argument by Veld- 
man ||T8l of Open Induction on the closed unit interval [0, ljj. EnDec is 
a stepping stone. 

Theorem 1. EnDec implies Open Induction on Cantor space. 

Proof. Let A be an open subset of Cantor space, i.e. let it : N — > B* be 
an enumeration of finite bit-strings so that, for any a, a G A is a notation 
for 3/, m(al = 7Tm)@. Let also A be progressive, that is, 



We want to show that Va(a G A). It suffices to show () G B for the empty 
bit- string (), where B is defined as 



We show that B is equal to B*, using EnDec. Notice that B* is count- 
able and B is recursively enumerable^. It is left to to show that, for any 
decidable subset C C B, if 3q(q g C), then 3r(r ^CArGfi). 

Suppose that such C and q are given. If () G C C B, then we have that 
q G B. So we are done. We assume () G" C. Since C is decidable, we can 
define a such that 



3 Veldman showed the equivalence of 01 and EnDec, but in this paper we are just interested in 
one direction of the proof. 

4 The progressiveness ensures that A is non-empty. Hence we may take Tt to be a total function. 

5 B is recursively enumerable because it is defined by a Zf-formula: the bounded universal 
quantifier does not pose a problem, since it could be interpreted as a bounded minimization 
operator, for example like in §3.5 of 1111 . 



Va(V/3 < a(/3 eA)^aeA). 



p G B iff 3k\/q G B k 3l,m(-p*ql 




The bit-stream a tries to stay outside of C for as long as possible, first 
trying to "turn left" (0) before "turning right" (1). If that is not possible, 
not only is a(n +1) G C C B, but, thanks to the definition of B, also 
an G B. 

Now, we see that it is not difficult to find an initial segment of a that 
is both not in C and in B: we follow a up to the first point where it enters 
B - but that is if ever a enters into B. To have a guarantee of that, we show 
that a G A using progressivity of A. Let /3 < a i.e. 3n(f5n = an A /3 (n) = 
Aa(n) = 1). By construction of a, a(n) = 1 can only be the case if both 
]8(n + l) = (j8n)*(0) = (an)*(0) G C and a(n+l) = (cw)*(l) £C. 
Because f5(n + 1) G C C 5, we have that /3 G A, which was to be shown. 

From a G A we obtain Z, m such that aZ = 7Tm, and we can finish the 
proof by induction, proving 

\/n < I (a(l -n)£C^ 31' '(al' £ C A al' G B)) . 

In the base case, n = 0, we have by hypothesis that al ^ C, and we have 
from a G A that «7 G 5; so we set /':=/. In the induction case for n + 1 
we consider three possibilities: 

1. if a(l- (n + 1)) * (0) £ C, then ct(Z - (n + 1)) * = a(l - (n + 1) + 
1) = a(l — n)^C and we can use the induction hypothesis; 

2. if a{l - (n+ 1)) * (0) G C and a(l - (n+ 1)) * (1) g C, then a(Z - 
(n + 1)) * (1) = a(Z - (n + 1) + 1) = a(Z - n) and we can use the 
induction hypothesis; 

3. if a(l-(n + l))* (0) G C and a(l - (n + 1)) * (1) G C, as discussed 
above, we get that a(l — (n + l)) G B and we can set I' := I— (n+ 1), 
because by hypothesis we also have that a (I — (n + l)) <£C. 

The first two cases could be merged into one, verifying only whether 
a(Z-(n+l) + l) gC. □ 

Remark 1. In the previous proof, we implicitly used an axiom of count- 
able choice, AC ' , in constructing the sequence a from the decidability 
of C. This use becomes apparent in the formalization of Section HI The 
fact that we use AC 0,0 is important: since MP and DNS are classical the- 
orems, not using AC 0,0 would mean that we have reduced OI (and DC) 
to plain classical logic without choice. 

The following principle of Double-negation Shift (DNS) has been 
isolated by Spector [fT5l as sufficient for extending Godel's functional 



interpretation from Arithmetic to Analysis, thanks to the fact that DNS 
proves the double-negation translation of the axiom of countable choice. 

Axiom 2 (DNS). \/n-i-A(n) — > — i— iVwA(n), for any formula A(n). 

Veldman uses the following version of DNS. 

Axiom 3 (DNS V ). -1-1 Vn(A(n) V ->A(n)), for any formula A(n). 

Remark 2. The proof of equivalence of|2]and|3]is analogous to the proof 
of equivalence between the law of double-negation elimination (DNE) 
and the law of excluded middle (EM). Note, however, that in minimal 
logic, which is intuitionistic logic without the rule of _L-elimination {ex 
falso quodlibet), EM is weaker than DNE JT). We expect a similar result 
for DNS, i.e., that DNS v is weaker than DNS in minimal logic. 

Markov's Principle is the following axiom schema. 
Axiom 4 (MP). For any Z^-formula S, we have that -i-iS — > S. 

Theorem 2. DNS v and MP together imply EnDec. 

Proof. Let the premises of EnDec hold. Given n E N, we have to prove 
n E B, which is a Zj'-formula. We are entitled to apply MP. Now, we 
have to show that — i— i(n E B). Suppose -i(n E B). Thanks to DNS V , it 
suffices to prove _L assuming moreover that B is decidable, i.e., \/n(n E 
B V -i(n E B) ) . We make a case distinction. If n E B we use the hypothesis 
->(n E B) to derive _L. If -i(n E B), we use the premise of EnDec by 
taking A := B (remember B is now assumed decidable). This gives us 
3m(m E B A ->(ra E B)), from which we derive JL. □ 

3 A Constructive Logic Proving EnDec 

In this section, we revise the logical system MQC + of |[T0l and show that 
one can prove in it EnDec without an explicit use of MP, thanks to the 
slightly stronger form of DNS that it proves. 

MQC + is a pure predicate logic system, that, in addition to the usual 
rules of minimal intuitionistic predicate logic, adds two rules for proving 
Z-formulas (formulas without V and — >). The rule "reset", 



■ # ("reset"), 



rKS 



allows one to set a marker (under the turnstile) meaning that one wants 
to prove a .E -formula S. Once the marker is set, one can use the "shift" 
rule, 

■ y ("shift"), 



rh s A 

to prove by a principle related to double-negation elimination from clas- 
sical logic. The idea is to internalize in the formal system the fact, known 
from Friedman-Dragalin's A-translation, that a classical proof of a E®- 
formula can be translated to an intuitionistic proof of the same formula, 
showing that classical proofs of such formulas are in fact constructive. 
The first system built around this internalization idea was Herbelin's (SI 
with the power to derive Markov's Principle. It satisfies, like MQC+, the 
disjunction and existence properties characteristic of plain intuitionistic 
logic. 

The names "shift" and "reset" come from the computational inten- 
tion behind the normalization of these proof rules, Danvy-Filinski's de- 
limited control operators [15161711 . These operators were developed in the 
theory of programming languages with the aim of enabling to write in 
so-called direct style every continuation-passing style (CPS) program. 
Since CPS transformations are known to be one and the same thing as 
double-negation translations |[T3l . one can think of shift/reset in Logic as 
enabling to prove directly theorems whose double-negation translation is 
intuitionistically provable. In order for this facility to remain construc- 
tive, we allow its use only for proving Z -formulas. 

The natural deduction system, with proof term annotations, is given 
in Table |3] The diamond in the subscript of h is a wild-card. The usual 
intuitionistic rules neither "read" nor "write" this marker. The reset rule 
is the one that sets it - if it is not already set, in which case the formula 
S must be the same below and above the line (this kind of use of reset 
would have no logical purpose, but it would affect the course of nor- 
malization). The rule shift is the one that must be assured that we are 
ultimately proving a E -formula, and that is why it can only be applied 
when the marker is set. 

The normalization proof for MQC+ relies on the fact that at most 
one Z -formula is used globally, so, although we can have multiple uses 
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# ("reset") — — " 1 ,y ("shift") 



rh #p:5 rh s ^yt.p:A 
where 5 denotes a X -formula 



Table 1. Natural deduction system for MQC + with proof terms annotating the rules 



of shift and reset in a derivation, all resets must agree on the formula to 
be set at. This suffices for the purpose of the present paper, although in 
future we hope to extend to normalization proof so that we remove this 
limitation. 

The following fact shows the utility of proving with shift and reset. 

Theorem 3. Let S be a E-formula (a V — > -free formula) and A{x) an 
arbitrary formula. The following version ofDNS v , 

((Vjc(A(jc) V (A(jc) -> 5))) ->■ S) -> S, (DNS J) 

is provable in MQC+. 

Proof. Using the proof term XhMh(kx.<¥'k.k(l2(ha.k(l\a))). □ 

This version of DNS V already has some form of MP built in, as can be 
seen from the proof of Theorem HI 

We now state a version of EnDec which is suitable for use in minimal 
logic, where ^-elimination is absent. 

Axiom 5 (A minimal-logic version of Axiom 3}. For any fiCN which 
is recursively enumerable, if 

for any seN and any A C N for which \/x(x E AV (x E A -»■ s E 
B)), and such that A C B, we have that if 3m(m eA—^-sEB) then 
3m((meA^ s G B) Am G B), 

then NCB. 

The following result is the minimal-logic analogue of Theorem |2] 
Theorem 4. In MQC+, one can derive Axiom\5\ 

Proof. Let the premises of Axiom \5\ hold and let n G N. To show that 
n G B, which is a Zj'-formula, we use DNS J for A(x) := x G B and S : = 
n E B. Now, given Vjc(x G B V (* G 5 — > n G 5)), we have to show n G B. 
We use the premise of Axiom [5] for s := n and A := 5, and, using the 
trivial proof of 3m(m G 5 — )■ n G 5) for m := n, the premise gives us a 
proof of 3m(m <EBA(mEB — >nG 5)), from which we derive nE B. □ 

Now, since the proof of Theorem [His purely intuitionistic, it follows 
that one can combine it with the proof of Theorem 0] to derive 01 in 
MQC+, using also AC 0,0 as noted in Remark [Q A precise statement of 
this fact is the subject of the next section. 



4 A Proof Term for Open Induction 



In the previous section, we used arithmetic informally. In this section, we 
give the proof term for 01 that we extracted from the proofs of theorems 
[T] and HI formalized in the system HA® which is the system of axioms 
HA® (from §§1.6.15 of d]) added on top of the predicate logic MQC + . 

First, we take a multi-sorted version of MQC + , that is, given different 
sorts (denoted a, p, x), the language is extended with individual variables 
(denoted x,y,z) of any sort, and, for each sort, with quantifiers and quan- 
tifier natural deduction rules for it. We will not annotate the quantifiers 
with their sorts, since those will be clear from the context; we may anno- 
tate the variables by their sort when we want to avoid ambiguity. 

The sorts can be built inductively, according to the following rules: 
there is a sort named 0; if p and o are sorts, then there is a sort named 
p — > a. The intended interpretation is that the sort stands for N, the sort 
0-^0 stands for functions N ->• M, the sort ((0 -> 0) -»■ 0) for function- 
al (N — > N) — > N, etc. We will employ the word 'type' instead of sort, 
henceforth, and we abbreviate the type — > by 1. 

Now, we add to the language a binary predicate symbol =q for in- 
dividual terms of type 0, intended to be interpreted as (the decidable) 
equality on N. The individual terms will be built from the function sym- 



bols 0° (zero), (■ + 1) 1 (successor), n°^ T ^° andl(^^°)^( a ^) 



the function symbol of juxtaposition which is not explicitly denoted: for 
terms t a ^' c and s°, ts is a term of type T. 

The axioms defining these symbols are (the universal closures of each 



x= Q x, x= y^-y=oz^x=QZ, x= y -^x+ 1 = y + l, 
x =o y — > t[x/z] =o t\y/z] where t[x/z) is the simultaneous 



(combinators), and R. 







(recursor of type 0). There is also 



of): 



substitution of x for z in t 



Uxy 
Zxyz 
RoOyz 



ox 

o xz{yz) 
o y 

o z(Roxyz)x 



R (x +\)yz 



We also add the axiom schema of induction, for arbitrary formula A (x): 

A(0)^Vx(A(x) ->A(x+l))->Vx(A(x)) (IA) 

We shall also need the following axiom of countable choice, which, al- 
though not part of HA^, is an admissible rule for HA ffl : 

Vx°3y°A(x,y) ->• 3(j> l Vx°A(x, Qx) 

Since "=o" is the only predicate symbol, all atomic (prime) formulas 
are of form t =q s. This allows us to show that x =o y — > A(x) — > A(y), by 
induction on the complexity of formula A. 

It is known that using the combinators one may define an individual 
term for lambda abstraction, denoted Xx.t, of type 1, which satisfies the 
usual /3-reduction axiom, (Xx°.s°)t° =o s[t/x]. Using this and the recur- 
sor Ro, one can easily define all the usual primitive recursive functions. 
Using the thus defined predecessor function, and the induction axiom, 
one can derive the remaining Peano axioms, x + 1 =o y + 1 — > x =o y, 
and (x + 1 = 0) — >■ 1 = 0, where we took 1 = instead _L because we are 
in minimal logic. In fact, in the presence of arithmetic, one can prove, 
again by induction, that the rule of _L -elimination (with _L replaced by 
1 = 0) is derivable, although we will not need it. 

Some notational conventions follow. We shall need to speak of bits, 
finite sequences of bits (bit-strings), and infinite sequences of bits (bit- 
streams). Bits and bitstreams can be encoded by natural numbers, but, 
instead of using the type for terms of that kind, to be more precise, 
we will write B and B*. Bitstreams can be encoded by terms of type 

— > 0, but instead of that we will write — > B. Individual variables of 
type B* will be denoted p,q,r,s (possibly with sub/super-scripts), while 
those of type — > B will be denoted a,/3,^ (possibly with sub/super- 
scripts). Concrete bit-string terms may be constructed using the notation 
(■}, like for example (), the empty bit-string, (0), the bit-string of lenght 

1 that contains a 0, (1, 1, 1, 1), the bit-string that contains four 1-s, etc. 
We will denote the operation for concatenation of bit-strings p and q by 
p * q. The operations pn and an produce the prefixing bit-string of length 
n of p and a. Although p is not a function, we will use the notation p(n) 
to extract the n — 1-st bit of p. The operator head(p) returns the first 
bit of p, while tail(p) returns the string that follows the first bit of p. 
We will also use the fact that one can define by primitive recursion a 



(AC°'°) 



term if • • ■ then ■ • • else ■ ■ • of type — > — > — > 0, or, more preciselly, 
B — > B — > B — > B, such that the following equations hold: 



if then y else z =o z 
if x + 1 then y else z=oy 

We will also need the usual operation max : — > — > on numbers. All 
these operations can be defined by a restricted amount of primitive recur- 
sion at higher types, level 3 of the Grzegorcyk hierarchy would suffice. 
Hence we could work in a corresponding subsystem of HA ffl , like for 
example G 3 Af from §3.5 of IfTTTl . 

Let us now formalize the concepts involved in the proof of 01. An 
open set U in Cantor space will be given by a term n of type — > 0, or, 
more preciselly, — > B*, that is, an enumeration of basic opens. Each 
bit- string Tin is a basic open, and membership in the open set, a E U, 
means that a is covered by some basic open. Formally, we define 

a e U iff 3l°3m°(al = nm), 

and we see that membership in U is a E -formula. The relation < on bit- 
streams was already formalized as 

/3 < a iff 3n° (]5n= anA(P(n) = 0Aa(n) = 1)) . 

To formalize the statement of Axiom |51 we represent the recursively 
enumerable set B by a E -formula B(x), and we represent the decidable 
subset A by a characteristic function x% ^ B sucn mat Xa(p) = 1 iff p G A. 
We thus obtain the following formula for Axiom [51 

V* B * (V*r B (MXa(x) = 1 -> B(x)) -> 

3r B *(( XA (r) = l^B( S )))AB(r)))) 

-> Vp B *B(p) 

When we use Axiom Q] to prove 01, we do so for the formula 

B(x) := 3k°Vq Bk 3l 3m°(x*ql = Km), 



where Vg denotes a bounded universal quantifications over bit-strings 
of length k. Hence, B(x) is still a Zf-formula, and such that, for any a, 
3n(an G B) iff a G A. 

The formalized proof term for 01 is shown in Figure [TJ To ease the 
presentation, at certain places, we have put after a semicolon the type 
annotation for individual terms, and the formula for proof terms. Some 
parts, being too long, have been put below the main proof term. 

To not obfuscate the proof term with equality-rewriting terms, we 
suppress the use of equality axioms. It is known that equality proofs have 
no computational content when extracting programs, as they are realized 
by singleton data types. 

X7i:Q^B*.Xh : Va(Vj8 < a(/3 eA)^aeA). 
(#dest ac(kx.yk.k(l2(?ia.k(l\a)))) as (X-b) in 
dest (ha(Xp.X{h' : p <a). 
dest (h' : j8 < a) as (n.h") in 
dest (aiO^fc")) : P{n+1) £ B) as (k.h m ) in 
h'"{{P{n+l))*-'-*{P(n+k)))) : a eA) as (l.c) in 
dest c as (m.d) in 
«/ (Xh.h)a^ l(0,X < q.(l, (m,d)))) 

a ■— Xn. 

Ro(n+ 1, (), (Xzln'.z* (if x{z* (0>) then (if %{z* (1)) then else 1) else 0»)(n) 
ai : a(«) = 1 -> j6(n + 1) £ S := A/i.case a B (x(fi(n + 1))) of 

(ft, .Jf*.(»ri (aa(fc(j8(n+l))))fci ) (m fa (Kj8(»+l))))Ai ) ||*2.«l fa (fc(j8(n+l))))fe) 
«3 := Xn.Xhi : on €fl-> () e 6. Aft : a(n+ 1) £ 6. 
case aB(x{& n * (0))) of 
(/i!.(7i:i^2(^(a(n+l)))Ai)(^i^i(Z7(a(n+l)))A) 
||^2-case (a fl (^(aw*(l)))) of 
(n 2 1 • ( TTi % (* ( a (n + 1 ) ) ) h 2 1 ) ( n x n x (b( a (n + 1 ) ) ) ft) 

11*22-^/04)) 
a\ : an £ B := 

dest {(%\n\(b(an* {0))))h2 : an* (0) £ fi) as (&o./o : ~iq : B*° 3l,m(an* (0) *q I = 7tm)) in 
dest ((fliTTi (b(an* (l))))ft22 : an* (1) £ 5) as (fci./i : : B^ 1 3l,m(an* (i)*ql = Tim)) in 
(max(fco,Jfci) + ■ B max ( i »' i:i )+ 1 .if head( ? ) then /i(tail(g)ifci) else / (tai%)& ) 

Fig. 1. Proof term for OI 

We explain the behaviour of the proof term. Given an enumeration % 
to represent the open set A, and a proof h that A is progressive, it has to 
show that () G B - from this, Voc(oc G A) immediately follows. 



To show () G B, which is a Z-formula, it applies a reset #, and now it 
has to show the same formula, but classical logic in the form of the shift 
rule can be used. Indeed, the proof term Xx.5?k.k(l2(Xa.k{l\d))) proves 
the "decidability" of B: Mx(x G B V (x G B ->■ () G B)). Using the proof 
term ciq for the formula 

Vx(x£BV(x£B-> () GB)) -»- 

BxVx((x(x) = 1 ^x G B) A (x(x) = o (jc G B () G B))), 

we obtain from the decidability, a characteristic function ^ B ^ B for B. 
The proof term ciq is obtained by combining the proof term behind AC ' 
together with a proof term that eliminates disjunction in presence of arith- 
meticB The proof term b proves the characteristic property of X- 

Now, using this x, the bit-stream a that we saw in the proof of Theo- 
rem[T]can be constructed using Ro and if • • • then ■ ■ • else ■ • • . Next, one 
needs to show that a G A. Because, that means that one has found the 
length I at which al is covered by the basic open nm, and then one can 
show that aO = () is in B. This last fact is derived by the proof term 

aj (Xh.h) a^l (0, X < q.(l 1 (m,d))), 

where a; is a proof term behind an instance of the induction axiom show- 
ing V7(ceZ G B — y () eB). The proof term aj uses the proof term which 
derives 

Vn((aneB^-{) eB)^a(n + l) eB-t{)eB) 

as is proved by case analysis, considering all four possibilities for the pair 
{x(&n * (0)) 5 Z(cw * (1))); in one of the cases, the induction hypothesis 
hj needs to be used together with the proof term C14 that shows that an G B 
using the fact that a(n + 1) G B. To generate the disjunction needed for 
the case analysis, one uses a proof term a s for Vx B (x = 0W x = 1 ) . 

It rests to show that a G A. One uses progressivity h: from /3 and a 
proof h! of /3 < a, one extracts n and a proof h" of 

fin = CCn A (j8(n) =oOAa(n) =0 1). 



6 For the proof of this statement, (AVB)f* 3x((x =1hA)a(i = 0« B)), see for example 
§§1.3.7 of f!6l. 



Then, Tli^h" shows a(n) =q 1, and it is for a\ to show that ~an * (0) = 
/3(n + 1) is in B, which shows, with the help of h'", that /3 G A, which 
concludes the proo£|. 

The proof term a\ derives j5(n + 1) E B from a(n) = 1 by making a 
case distinction. For the first case in which x(P (n + 1)) = 0, we have an 
absurdity 0=1. We close the case by the shift rule where the proof term 
hi is used both as of type #(J3(m + 1)) = and x(P( n + 1)) = fl 

5 Conclusion 

The analysis of the computational behaviour of the proof term on con- 
crete examples is future work. To do that completely formally, one needs 
to extract a realizing proof term of AC ' . While that is a simple matter 
for HA®, where one can use Kreisel's modified realizability, we would 
need a different realizability interpretation for HA®, since MP is false in 
modified realizability. 

Also, although a priori our proof term is different from Berger's real- 
izer for 01 0, in the future, we would like to verify whether they behave 
differently operationally. We remark that Berger works with a slightly 
more general form of open set than Coquand and we do. 

We would also like to investigate whether we could adapt a proof 
term for AC 0,0 similar to Herbelin's [@. His interpretation is compatible 
with classical logic and is given in a version of Martin-Lof type theory 
with a weakened version of dependent sums. 

Related is also the research program on realizability in classical logic 
of Krivine Ifl2l . who uses (non-delimited) control operators to built new 
models of classical set theory. 
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7 The proof term a\(wi(TfyU ,s ) proves an* (0) 6 B, from which p(n + 1) 6 B follows using 
equality axioms. As remarked earlier, equality-rewriting is implicit in the proof term. 

8 Alternatively, we could have deduced j8(«+ 1) £ B from = 1 by J_-elimination. 
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